Germany

Privacy Culture

When it comes to data protection and privacy, Germany can be considered a leading jurisdiction. Citizens of this country are particularly attuned to the importance of privacy, possibly due to the still-living memory of the activities of one of the most hated and feared institutions in former East Germany - the Stasi. In that context, history has proved that, under certain circumstances, the processing of personal data may have grave consequences for an individual. Germans are well aware of the potential harms that result from the processing of personal information. Consequently, German data privacy and protection laws are among the strictest in the world.

According to the EuroBarometer Survey on Data Protection issued by the European Commission, 45% of Germans feel they have no control over their information provided online, compared to only 33% in other EU countries. An overwhelming majority of Germans claim to be concerned about their personal data being used for a different purpose than the one it was collected for.

Legal History

Germany has a long tradition in data protection. The world's very first Data Protection Act came from the State of Hesse, in 1970. At federal level, a similar act was enacted in 1977. Nowadays, the basic act regulating data protection and privacy in Germany is the German Federal Data Protection Act (Bundesdatenschutzgesetz) (the 'FDPA') that implements the provisions of the EU Data Protection Directive into German law. The FDPA was subject to major amendments in 2009 by the Federal Data Protection Act Amendment Law (Novelle des Bundesdatenschutzgesetzes). In certain industries, sector-specific legislation applies. In addition, all of the 16 German states have their own specific data protection laws pertaining to the same areas.

•Social Security Code I, II, IV, V and X - applies to health and personal data in connection with medical and social security services.

Enforcement and Court Action

Germany has a regional rather than a federal system of data protection enforcement, where each German State appoints its own data protection regulator. As a result, there are sixteen state data protection authorities, loosely coordinated by a Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit or BfDI). The Federal Commissioner enforces the federal data security and the information freedom law in Germany and exercises direct supervision over all telecommunication companies. All other private companies are supervised by the data protection authority of the state of their residence.

In general, procedures applied by state data protection authorities are not made public and enforcement cases are rarely reported unless they are matters of public interest. Nevertheless, each year the data protection authorities publish a report on their activities.

The supervisory authorities have the power to:

•Order an audit;

•Impose measures to remedy contraventions of the FDPA;

•Fine organisations (only administrative fines);

•In the event of serious infringements, ban certain procedures.

Generally, contraventions of German data protection laws are actively enforced. Data controllers may be subject to a maximum fine of 300.000,00 EUR per breach. Supervisory authorities also have the power to confiscate profits or benefits derived from violations of data protection laws. In certain circumstances, a violation of data protection law may constitute a criminal offence and be punishable with up to two years of imprisonment or a monetary penalty.

Corporate Risk

In 2013-2014, the highest fines were issued in Bremen (15.000,00 EUR) and Schleswig-Holstein (18.000,00 EUR). In the federal state of Bavaria, 20 fine notices were issued, resulting in 200.000,00 EUR in fines. Berlin's data protection authority issued 25 fine notices amounting in total to 88.205,00 EUR. Hesse issued only 2 fine notices, with total fines of 3.500,00 EUR.

Additionally, companies that contravene privacy law face the threat of serious financial penalties that can be imposed by the German courts of law. In 2014, a health insurance firm settled a case by paying a fine of 1.900.000,00 EUR for privacy law violations committed over a period of several years. The company unlawfully acquired addresses of public service employees in order to sell private health insurance contracts to them.

In January 2015, the Berlin and Bremen data protection authorities were among the first DPAs to express their reservations about the reliability of the Safe Harbor scheme, which regulated the flow of personal data between some 4,400 US companies and data controllers in the EU. The Safe Harbor scheme was finally and formally declared invalid by the Court of Justice of the European Union in October 2015.

Future Outlook - Germany and GDPR

Businesses often regard the present German requirements as some of the strictest in the EU. But Germany is continuously working on strengthening its data protection legal framework. Before the official publication of the new General Data Protection Regulation, the German legislator was working on a reform of employee data protection law. The reform seeks to clarify the current regime and regulate all important aspects of employee data protection such as prior medical check-ups.

Because of its strict data protection requirements, it was deemed that Germany would not have to adapt much to the new GDPR. For example, Germany was the only country to mandate the role of Data Protection Officer from 2001 onwards. But the GDPR will affect German privacy and data protection legislation. It will increase the responsibilities of data processors (e.g. the processor will have to assist the controller in determining which security measures are appropriate) and impose a prior written consent obligation for sub-contracting. The current German requirement to sign data processor agreements in writing will be amended so that such contracts can be concluded in electronic form from 2018 onwards. The GDPR could also reduce the amount of unnecessary paperwork with regard to EC Model Clauses in Germany, and it will expand certification as a means of compliance.
